Security

Regional Banks Face Off Against Hackers

Regional banks and credit unions adopt sophisticated tools to protect against international hackers and internal threats.

Alan Joch

Twitter

Alan Joch has been an independent business and technology writer for more than a decade. His expertise includes server and desktop virtualization, cloud computing, emerging mobile applications, and cybersecurity.

Banks were considered attractive targets for thieves long before Depression-era robber Willie Sutton supposedly quipped “because that’s where the money is.” Today, technology-enabled thieves are more numerous than ever. Financial services companies reported 642 security incidents in 2014, with 43 percent resulting in confirmed data loses — the third highest among all industry sectors, according to the Verizon “2015 Data Breach Investigations Report.”

Stats like those hit home for IT managers at regional banks and credit unions, who see public trust as the cornerstone of their institutions’ success. Accordingly, they remain diligent about security fundamentals: timely software patching, using the latest malware protection and training employees to resist social engineering. But some executives, such as Jon Biskner, vice president of IT at Wisconsin’s Nicolet National Bank, go well beyond the basics to fight sophisticated cyber-Suttons.

“I don’t think state-sponsored hackers know about or are targeting Nicolet National Bank,” says Biskner, whose company manages $1.2 billion in assets and 23 branches, including its Green Bay headquarters. “But hackers scan a broad spectrum of companies, looking for the easiest opportunities to exploit. If they see an opening in a bank, they try to use it to access personal information, credit and debit card numbers or anything else of value.” line of defense

To keep Nicolet from becoming an easy target, Biskner uses a combination of next-generation firewalls (NGFWs) and a cloud-based analysis service from Palo Alto Networks to quickly identify suspicious traffic and take appropriate action. He says the NGFWs inspect all layers of the network protocol stack to provide insights about all the data and applications flowing into Nicolet’s network. By comparing traffic to preset security policies and filters, the NGFWs block risky files or alert the IT staff when suspicious activities are revealed.

Biskner teams the NGFWs with additional cloud-based services from Palo Alto Networks that send suspect traffic to an offsite location where it is confined to a virtual sandbox, analyzed for risk and compared with other known exploits. For example, cumulative reports may point to a rise in suspicious activity in a certain part of the world, along with IP addresses associated with the attackers.

“The cloud contains information about the latest threats being seen by all types of organizations,” Biskner says. “So we’re being alerted to new types of attacks that we haven’t seen yet but that may be coming our way.” Once he receives an alert, he can update policies in his NGFWs to spot traffic that fits the emerging profile.

NGFWs also enforce white lists — the applications approved by Nicolet’s IT department. “If someone tries to load an app that isn’t on the list, it automatically gets blocked and sent to the sandbox,” he says. To show the effectiveness of security practices, Biskner is developing a dashboard that summarizes the number of threats that have been stopped and other key information.

“I’ve read that one in four organizations will likely be breached in the next two years,” Biskner says. “That alone should convince everyone how important it is to stay on top of security.”

$174

The cost, per record, of a malicious or criminal data breach

SOURCE: Ponemon Institute, “2015 Cost of Data Breach Study: Global Analysis,” May 2015

Beyond the Basics

Analysts say banks and credit unions are wise to deploy advanced security technology to identify unusual end-user activities and anomalies in workflows.

“There’s a growing recognition that traditional prevention technologies haven’t fully worked, because they only stop known threats, not zero-day attacks,” says Eric Parizo, senior analyst for enterprise security at consulting firm Current Analysis. “The idea now is to use newer detection capabilities that complement prevention systems.”

In addition to malware sandboxing, these technologies include network- and endpoint-based threat detection.

“We’ve been seeing vendors combining all three capabilities within single, integrated packages,” Parizo says. threat management

Ron Dinwiddie, executive vice president and CIO at Texas Trust Credit Union, an $890 million institution with 15 locations in the Dallas/Fort Worth area, also suggests layering NGFWs on top of basic defense.

He uses Fortinet’s FortiGate NGFWs and the platform’s associated unified threat management module for detailed looks into traffic characteristics.

“The quantity and the value of the information that they’re collecting now is much greater than it was with the traditional firewalls we had been using,” he says.

Texas Trust contracts with a managed security service provider (MSSP) to monitor collected data and to ensure nothing important slips by.

“In the past, there were so many logs to review that we couldn’t go through them all,” Dinwiddie says. “Now, our MSSP calls my security coordinator whenever there’s suspicious traffic and asks whether we recognize it or if we want to block it immediately,” he says.

Other safeguards include Barracuda Networks’ Email Security Service, a cloud-based platform. “All of our email goes to that service before it ever gets to us to filter out infected attachments or other problems,” Dinwiddie says. Virtualized Security

Flushing Bank, which has 18 locations in New York City and Long Island, shores up security with virtual desktop infrastructure (VDI) based on VMware Horizon. By housing all data and applications on servers in central data centers, the bank closely manages and controls security policies and access to sensitive information.

“This gives us greater peace of mind,” says Alexander Gellerman, the bank’s vice president of systems infrastructure.

Insider Protection

Because no data is stored on local desktops, Gellerman and his IT staff don’t worry that financial information will be exposed if a notebook is lost or stolen. VDI also mitigates the threat of an insider stealing data, something that Gellerman says banks must consider as part of their security strategy.

“Since nothing is running on local hard drives, the risk that a user will store something locally and then walk away with it is zero,” he says.

As a bonus, Flushing Bank realizes VDI benefits beyond heightened security, including much faster desktops, Gellerman says.

All three banking IT leaders say the consequences of a breach are so great, only shortsighted institutions would be tempted to pinch pennies in this area. “Some companies don’t always run the latest and fastest PCs, and maybe that’s fine,” says Texas Trust’s Dinwiddie. “But if you skimp on security, it can ultimately destroy your business if you’re hacked.”

White Hat

Lessons from a White Hat

Nicolet National’s Jon Biskner regularly conducts stealth security tests to see how well employees guard against social engineering exploits. His goal isn’t a game of gotcha, but something much more constructive: teaching opportunities. In one case, he placed a number of thumb drives labeled “payroll” throughout various work areas: “I wanted to see how many people picked them up and plugged them into their computers.”

A majority of the devices were plugged into corporate resources, and because hackers could use these devices to deliver a malicious payload, Biskner and his team developed an ongoing education and testing program to raise awareness about employee-assisted risks.

“Our message is, if you receive something you weren’t expecting, don’t open it or plug it into your computer,” he says.

With the ongoing education and testing program, “people are becoming much more careful,” he says.

Darren Hauck